Solved

High Volume MTA to replace smarthost for outbound email

Posted on 2011-10-19
Last Modified: 2013-11-10
We currently use our ISP's smarthost for sending out automated noreply emails from our system. We are sending around 20000 emails a day and the ISP has asked us to sort out our own MTA as the load is getting a little high for their comfort. Current SMTP Connector is installed on Server 2003 and forwards all email sent to it from our daemons to an external smarthost.

I am looking for recommendations of what would be the best replacement solution.

There is no need for receiving incoming email.
Currently I am considering each of the following,

1. MS Virtual SMTP Server Connector as MTA - it is currently using this to forward to the smarthost
2. Install Postfix on a Linux server and use this as a smarthost
3. Use a third party provider's smarthost in the same way we are using our ISP's at the moment

My main concerns for each are the following:

Would it support sending 20000 emails a day?
Would you recommend SPF record for sending domain to decrease chance of false positives (SPAM)?
Can DKIM be configured on each?
Which methods are more prone to blacklisting assuming they haven't been compromised?

This is a mission critical service and it needs to work. If sending domain or IP is blacklisted or filtered by any other servers it would be disastrous. Due to this my main prerequisite is reliability.

Could anyone with experience please give me their opinion?

Thanks
Question by:thenos
25 Comments
 
LVL 6

Expert Comment

by:Em Man
ID: 36997925
actually this kind of volume will be an issue for reputation.

but here's my take.

Create a Postfix and make sure it is not an open relay.
put an SPF to make sure only allowed server can send emails from your domain.
add DKIM just to add responsibility from your side.

sending 20,000 emails a day will cause email reputation issues, and you might not like it if 50%-60% of those emails get bounced back.

The best if willing is to have a 3rd party Email Campaign to do the job, but it will cause you $$$.

Just my thoughts :)
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36997936
I would choose #2, and my reasoning for this can be found in my following comments.

Would it support sending 20000 emails a day?
Absolutely.

Would you recommend SPF record for sending domain to decrease chance of false positives (SPAM)?
You should always use SPF for any sending domain.  Keep the IPs you use for these mails separate from your main mail flows, such as regular corporate mail.

Can DKIM be configured on each?
Postfix can be easily integrated into postfix using opendkim.  I have both running now and it's pretty straightforward, but can be daunting to those new to the concepts.  I can help with both.  To my knowledge there is no native DKIM signing functionality for Exchange, you have to pay for 3rd party apps to do this.  If someone knows otherwise, please comment.

Which methods are more prone to blacklisting assuming they haven't been compromised?
If you set up SPF and DKIM along with a matching A/PTR for your sending server(s), and don't use spammy words like "IMPORTANT!!!!" in your mails, you will avoid most if not all blacklists.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36997948
You have to be careful about the volume you send as well, as that is a factor in your overall sending reputation.  20k mails in a day isn't that many and will probably still keep you in the Low volume group, but if you can send to a smaller audience for your first few mailings from your dedicated IPs for these mails, that certainly wouldn't hurt.

You can check your reputation at http://www.senderbase.org and http://www.senderscore.org
0

 
LVL 6

Accepted Solution

by:
Em Man earned 1200 total points
ID: 36997949
also, aside from this

you might also want to remove tracking codes, spam filtering appliances nowadays are very strict.
and always check your reputation daily using the following.

www.mxtoolbox.com
www.senderbase.org

you might want to check from time to time from the list of RBL sites.
Most appliances are blocking IPs based on the magnitude of emails being sent.
the first thing you might notice will be a delay of those emails for 2 hours.

last tip:
Assign a Public IP just for this Campaign/Blast. :)
Careful with the words you use in your Subject Line. :)
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36997954
Postfix can be easily integrated into postfix using opendkim.

Woops!  That should read DKIM can be easily integrated.
0
 

Author Comment

by:thenos
ID: 36997964
Great answers!

FYI: We currently send this volume (20000/day) out using a domain with no SPF, DKIM or matching A/PTR and don't receive any bounce backs. I guess emails could be getting classified as SPAM at the recipient's end but we normally receive notification of this by the client missing deadlines and yelling at us which hasn't happened in at least a year.

I am worried this experience gives me too much confidence so I want to make sure I do my homework first. Keep it coming please!
0
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 800 total points
ID: 36997968
Set up postfix+opendkim
Add SPF record
Match A/PTR
Don't use spammy words, include opt-out link (this is mandatory).
done/done.
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36997972
+send from dedicated IP(s) separate from other mail flows
0
 
LVL 6

Assisted Solution

by:Em Man
Em Man earned 1200 total points
ID: 36997990
- You need to separate your "Blasting Relay/Campaign" from your "regular" email communication.
- both have separate Public IPs to avoid reputation problems.
- Postfix has a tool/script to report how many are received and how many are sent, which domain got a lot of bounces, then email the result to you.
- you need to have a double opt-in or single opt-in and an easy unsubscribe button in those campaign mails. you don't want your customers or clients to hit the SPAM button rather than the Unsubscribe button.
0
 
LVL 6

Expert Comment

by:Em Man
ID: 36997996
it only takes a day to be blocked, but it will take months or years before you will be removed. lol

prepare for this reply:
"fixed first your reputation before we will allow your domain/IP to pass"


you are sending 20000 a day, we have a total of 4M a month... hahaha
still we have a good reputation. :)
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 36998000
Pff we send >4M an hour :p

Hello again taga :)

Looks like I have some new "competition" in the enterprise email arena ;)
0
 
LVL 6

Expert Comment

by:Em Man
ID: 36998018
@papertrip:

I will just be second to you hehehe... (you have the shield :D )

before I replace the previous EA, it was my first aim to solve our Poor Reputation.
we've been having Poor Rep for years and I am not sure if they tried fixing it.

but whew! I learned Linux the hard way... lol
0
 

Author Comment

by:thenos
ID: 36999957
Ok, so I guess I should change the title to "low to medium volume"... :o)

Anyway, the SMTP Virtual server in IIS that currently relays all internal email to our ISP's Smarthost seems to handle the load ok at the moment.

Would using DNS to lookup MX records and send email directly, using SMTP Virtual Connector as an MTA instead of a relay to smarthost, use much more resources when talking about 20000 emails a day and assuming SPF, DKIM R/PTR are set up correctly for sending domain?

FYI: Email relay machine is a Dell PE1750 with Xeon 2.4Ghz and 2GB RAM under average of 30% load
0
 
LVL 6

Expert Comment

by:Em Man
ID: 37000126
hahahaha... and that 20,0000 is low? yaiks!

Good for you... nice Reg. hehehe

We only have virtual machines with Windows 2003 that have 1GB of RAM and 5GB space available. ahehehe... lol


The sending of emails depends on how those Firewall appliances react to your relay, so no matter how fast your servers are, it still depends on how those firewall appliances treat your mails. :)
if they want to delay your mails you can't do anything. :)  imho
0
 
LVL 6

Expert Comment

by:Em Man
ID: 37000186
sorry:

@papertrip: "hahahaha... and that 20,0000 is low? yaiks!"
0
 

Author Comment

by:thenos
ID: 37000440
No problems with firewall we have a 4ms ping to 8.8.8.8 (Google DNS).

What I really want to know is, our setup as it stands works perfectly.
Is it much different  to use the same setup to send email direct (using DNS) from IIS Virtual SMTP Server instead of relaying it to a smarthost?

taga:
When you say "those Firewall appliance" I assume you mean all firewall appliances between the sending server and the recipient. This should only change very slightly from the current setup as all that will possibly change is the actual external IP used to send the mail from. This new IP will be on the same physical and geographical network as the previous.

Also what impact will changing the IP address used to send have on SPAM filtering if no SPF record exists in the existing setup but will in the proposed?
Do any mainstream SPAM services use any method other than SPF to keep track of what IP addresses emails for a particular domain are coming from?
0
 
LVL 6

Expert Comment

by:Em Man
ID: 37001143
On Changing IP:

My way: give that IP a specific domain to relay emails, probably around 200-300 a day, before giving it the entire email campaign. if you supply it directly with thousands of emails it will definitely be detected by Spam Filtering Appliances (or firewall appliances) as having a magnitude of emails going out. there is a big possibility it will be delayed.

No SPF:
most appliances are designed to look for SPF configuration in your DNS, in this way they can verify that the originating IP is indeed from your Network. it is highly advisable to have an SPF if you have that magnitude of emails being sent out, especially as this is a new IP address being introduced.

Tracking IP:
The activity coming from that IP obviously is being recorded by most ISP appliances, most of the time they are relying on RBLs. once your IP is blocked by one RBL site, others will follow in blocking that IP address. it will happen in minutes without you knowing it.

Your Question:
Is it much different to use the same setup to send email direct (using DNS) from IIS Virtual SMTP Server instead of relaying it to a smarthost?

None actually, it's the receiving Spam Filter Policy that will decide if your emails get through/delayed or not.
0
 
LVL 6

Expert Comment

by:Em Man
ID: 37001224
when I say "those firewall appliance" I am referring to those who receive your mails.
(sorry for the confusion)

Your New IP will be treated as New.
What happens here is that when that new IP sends volumes of emails, SPAM Filtering appliances might think you have a Dynamic IP (one way to be blocklisted), so before supplying it with thousands of emails, I would suggest supplying it with less email traffic for maybe a month. if you can't wait that long and you want that new IP blasting emails then go ahead as long as you know the risk. :)
0
 
LVL 6

Assisted Solution

by:Em Man
Em Man earned 1200 total points
ID: 37001275
Sharing:

- Always Monitor your Bounce Mail and Analyze this regularly.
- Process UNSUBSCRIBE ASAP.
- Careful of MailTrap or HoneyPot. (Only spam goes to this address)
- Secure your Mail server so it does not become an OpenRelay.
- Make your UNSUBSCRIBE button visible. The Spam button is easier for clients to see than the most commonly used unsubscribe button. :)

Good Luck and Hope we Help :)
[time to sleep lol]
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 37001441
Taga went to sleep, and I just woke up.

Seems we haven't made much forward progress with this yet, but at least some questions have been answered.

@Thenos, what else do you need to know?
0
 

Author Comment

by:thenos
ID: 37004171
I think that pretty much clears up my questions/concerns.

I am leaning towards using the SMTP virtual server as an MTA to send email direct and slowly adding email traffic to the new IP as taga_ipil suggested. Before commencing this I will add an SPF record with both the old and new IPs, set up DKIM and also a R/PTR.

I think this would be the easiest solution as it would only require very minimal changes from the way things are set up now when working perfectly. We should actually see an improvement as no SPF etc at the moment...
0
 
LVL 21

Expert Comment

by:Papertrip
ID: 37004262
I mentioned warming up the IP too, but I wouldn't be heavily concerned with only 20k/day, however if you can lighten the load at first it definitely won't hurt.

Are you sure you will be able to DKIM sign using that virtual server without handing over cash for some 3rd party app?
0
 

Author Comment

by:thenos
ID: 37004282
Excellent point. Sorry, you did mention it previously as well.

Might start SMTP Virtual Server with SPF but have Postfix set up and ready to go on a different IP so that email can be relayed out a different IP if there are any problems with initial volume on the new IP. This will at least give me a second chance if the first new IP does get blocked.

I will maybe add DKIM down the track as it seems it is not essential though could potentially avoid some potential future issues if implemented correctly
0
 
LVL 21

Assisted Solution

by:Papertrip
Papertrip earned 800 total points
ID: 37004298
It's as essential as SPF.  As you already know, you don't have to have these things in place to send mails, but you should.  SPF and DKIM should be used in conjunction with each other -- neither are the end-all for anti-spam/phishing/spoofing, but combined they offer even more protection of your domains along with higher inbox placements vs getting flagged as spam.

All mails should be DKIM signed and all domains should use SPF.
0
 

Author Closing Comment

by:thenos
ID: 37004307
Thanks for your advice guys. I think I am now ready to start some testing!
0
